Details
- Bug
- Status: Open
- Low
- Resolution: Unresolved
- None
- Cassandra version: 2.2.12 Java: 1.8.0_181 SLES11
- Low
Description
Changing from JKS to PKCS12 store_type doesn't work for client_encryption_options. For server_encryption_options it is not a problem.
I use:
client_encryption_options:
    enabled: true
    optional: false
    keystore: keystore.p12
    keystore_password: keystorepass
    truststore: truststore.p12
    truststore_password: keystorepass
    store_type: PKCS12
but get this error:
ERROR 06:34:36 Exception encountered during startup
java.lang.RuntimeException: Unable to create thrift socket to /192.168.1.2:9160
    at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:270) ~[apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46) ~[apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:131) ~[apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:58) ~[apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:453) [apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:548) [apache-cassandra-2.2.12.jar:2.2.12]
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:642) [apache-cassandra-2.2.12.jar:2.2.12]
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:210) ~[libthrift-0.9.2.jar:0.9.2]
    at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:104) ~[libthrift-0.9.2.jar:0.9.2]
    at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:256) ~[apache-cassandra-2.2.12.jar:2.2.12]
    ... 6 common frames omitted
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[na:1.8.0_181]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_181]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:215) ~[na:1.8.0_181]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_181]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_181]
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:195) ~[libthrift-0.9.2.jar:0.9.2]
    ... 8 common frames omitted
Looks like the store_type option is not set properly for client encryption.
If I don't use the store_type: PKCS12 option, the error occurs earlier at startup:
INFO 06:43:46 Enabling encrypted CQL connections between client and server
Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline
java.lang.RuntimeException: Failed to setup secure pipeline
So from my point of view it looks like the option is set, but not everywhere it should be.
I also use PKCS12 stores for server encryption. It works fine there.
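
A triage check for the symptom reported above, added here as an example; it is not part of the original report and not Cassandra code. It compares the configured store_type with the keystore file's leading bytes and with the keystore loader named in the stack trace. The function names and the sample header bytes are constructed for illustration; the two trace frames are copied from the report.

```python
import re

# Leading bytes of the common Java keystore container formats.
JKS_MAGIC = bytes.fromhex("feedfeed")
JCEKS_MAGIC = bytes.fromhex("cececece")
DER_SEQUENCE = b"\x30"  # a PKCS#12 file is a DER-encoded SEQUENCE

# JDK classes whose engineLoad frame shows which loader parsed the file.
LOADER_FRAMES = {
    "JKS": re.compile(r"sun\.security\.provider\.JavaKeyStore(\$\w+)?\.engineLoad"),
    "PKCS12": re.compile(r"sun\.security\.pkcs12\.PKCS12KeyStore\.engineLoad"),
}

def sniff_store_format(header: bytes) -> str:
    """Guess the container format from the first bytes of the file."""
    if header[:4] == JKS_MAGIC:
        return "JKS"
    if header[:4] == JCEKS_MAGIC:
        return "JCEKS"
    # Heuristic only: any DER SEQUENCE (for example a bare DER
    # certificate) also starts with 0x30.
    if header[:1] == DER_SEQUENCE:
        return "PKCS12"
    return "UNKNOWN"

def loader_in_trace(trace: str) -> str:
    """Return the keystore loader whose engineLoad frame appears in the trace."""
    for name, pattern in LOADER_FRAMES.items():
        if pattern.search(trace):
            return name
    return "UNKNOWN"

def triage(store_type: str, header: bytes, trace: str):
    """Return (verdict, file_format, loader) for one keystore."""
    actual = sniff_store_format(header)
    loader = loader_in_trace(trace)
    if actual != store_type.upper():
        return ("file-mismatch", actual, loader)    # the file is not what the config says
    if loader not in ("UNKNOWN", actual):
        return ("loader-mismatch", actual, loader)  # config and file agree, loader differs
    return ("consistent", actual, loader)

# Constructed sample: the first bytes of a typical PKCS#12 file.
SAMPLE_HEADER = bytes.fromhex("30820a1b020103")
# Frames copied from the stack trace in the report.
SAMPLE_TRACE = """Caused by: java.io.IOException: Invalid keystore format
 at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
 at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)"""

if __name__ == "__main__":
    print(triage("PKCS12", SAMPLE_HEADER, SAMPLE_TRACE))
```

To check a real file, pass its first bytes, for example `open("keystore.p12", "rb").read(8)`. A "loader-mismatch" verdict means the file and the configured store_type agree but the trace names a different loader.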